Lake Shore Savings Bank in Dunkirk, New York, disclosed in a financial statement to investors that it had suffered a data breach after hackers gained access to customers’ personal information.
The bank, which recently reported it has just under $600 million of deposits from customers mostly in western New York, said it had “identified unauthorized access to certain data in its internal systems,” but did not disclose who gained access or how.
The bank told affected customers their name, address, and account numbers were leaked in the Nov. 24 attack. It said it had “no evidence” that the information had been “misused” and offered customers identity protection services.
During the incident, employees temporarily lost access to internal systems and data, according to a filing with the Securities and Exchange Commission. Companies can lose access to their systems in various forms of attack, including ransomware and denial of service attacks. The bank did not immediately respond to requests for comment.
The SEC in 2018 issued guidance that publicly traded companies “should consider the materiality of cybersecurity risks and incidents when preparing the disclosure that is required in registration statements.” According to Jina Choi, a partner at the law firm Morrison & Foerster, the SEC does not consider every cybersecurity incident “material,” meaning some incident disclosures do not end up in public filings.
Since January, at least four regional banks and credit unions have told customers they suffered a data security incident, many of which took place months before customers received the notifications.
Six other financial services firms, including credit card issuer Discover, also sent notices about data breaches. Cybersecurity firm Venafi also suffered a breach.
Vermont’s attorney general posts notifications companies send to data breach victims who live in the state. Vermont law requires companies that collect personal information to report to affected customers and the state’s attorney general within 45 days when they discover a security incident has occurred.
In each of the cases disclosed to Vermont residents this year, some combination of their name, Social Security number, financial account information, card information and state or federal ID numbers (including passports and military IDs) were affected. Many banks also offered credit monitoring services to affected customers, typically between 12 to 24 months.
The cybersecurity incidents come after such hacks surged during the pandemic and lawmakers and regulators, from the Securities and Exchange Commission to the Federal Deposit Insurance Corp., weigh and implement new reporting requirements.
Prominent among those efforts is a bill before President Biden that would require companies that operate the country’s “critical infrastructure,” including banking and IT services, to report security incidents to the government within 72 hours of identifying a breach.
The three other financial institutions that have informed Vermont residents about a security incident so far this year are Central Bank in Florida, First National Bank of Hughes Springs in Texas and Envision Credit Union in northern Florida and southern Georgia.
